Source: mosquitto Version: 1.4.10-1 Severity: grave Tags: patch security upstream Forwarded: https://bugs.eclipse.org/bugs/show_bug.cgi?id=532113
Hi, The following vulnerability was published for mosquitto. Planned to be fixed in a DSA, and needs to be fixed for buster as reason for the RC severity filling. CVE-2017-7653[0]: | The Eclipse Mosquitto broker up to version 1.4.15 does not reject | strings that are not valid UTF-8. A malicious client could cause other | clients that do reject invalid UTF-8 strings to disconnect themselves | from the broker by sending a topic string which is not valid UTF-8, | and so cause a denial of service for the clients. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-7653 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7653 [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=532113 [2] https://github.com/eclipse/mosquitto/commit/729a09310a7a56fbe5933b70b4588049da1a42b4 Regards, Salvatore
